Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

rheotaxis writes "A circuit judge in Arkansas will not order the state to reveal where its computers were used to edit Wikipedia articles about former governor Mike Huckabee while he was running for President. Two Associated Press journalists used WikiScanner to track the edits to IP addresses used by the state. Writer Jon Gambrell and News Editor Kelly P. Kissel filed a suit in October 2007 asking the state to reveal which state offices used the IP addresses, because state rules don't allow using computer resources for political purposes. The director of the Arkansas Department of Information Systems, Claire Bailey, claimed in court that releasing this information would allow hackers to target these state offices."

A link to opensecrets [opensecrets.org] would have been sufficient. Most of the Media money goes to Democrats, most of the Oil money goes to Republicans.

Pointing this out is not particularly insightful; the troll mod is justified. Making Democrats out to be particularly heinous because they accept money from the RIAA is disingenuous. As far as leeches on society go, the MPAA/RIAA are not the greatest, and the issue of bribery crosses all party lines.

Making Democrats out to be particularly heinous because they accept money from the RIAA

I don't find RIAA neither heinous, nor leaching on society. At all.

But you — and a number of other slasdhdotters do. My "troll" was trying to point out, that both, the subjects of the article and the RIAA are chasing people over an IP-address. And both groups are Democrats.

I'm not exactly sure how that would be corruption or how it was an actual investigation. In Arkansas, you need to be licensed by the state or bonded with a company who is licensed to perform an investigation. If the people looking into if state computer use weren't licensed in either of those ways, calling it an investigation could possibly open them up for charges.

It looks like a moderator was afraid of information getting out. They marked an incorrect statement as informative and the correct on as off topic. And the funny thing is, with this little post (and the few others who will attempt to explain how this is off topic) will pretty much make their intention of hiding the post moot at best.

Private investigator- for only investigating only private people...lol. A high school understanding of government and civics would have told this person he was wrong. I po

Are you so stupid that you believe that you need a government issued license in order to investigate the government? Woodward and Bernstein applied to Nixon for a license to investigate him? Do your homework. We still live in a country that claims to have a free press.

It is certainly a fine concept to want a fully transparent government. We (at least those of us here at Slashdot) demand the same of our operating system. And likewise, we try to argue that "security through obscurity" is a useless endeavor.

However, the security of systems relies at some point on the obscurity of certain pieces of data. Whether it be a user password or a map of a network topology, the information itself has no real reason to be made public just for the sake of openness, one could argue.

Even considering that the system may have been used inappropriately, is the crime worth the possible destruction of the entire network at the hands of hackers? Shouldn't there be a great deal of discretion when risking opening up of confidential information that could have a severe detrimental impact on society as a whole?

I fail to see how network topology is something to be hidden, the computers either in front of a firewall and thus mappable anyway or behind one and so it doesn't really matter if you have the IPs because you cant send any traffic to them anyway.

Begging pardon for posting late to the party... Publish the IP address and have the court case. DAY OF PUBLISHING, apply at ISP for a different static IP for the network node, and use everything that is documented in the upcoming legal case. Ignorant means lacking knowledge. Stupid means slow to learn. Idiot means incapable of learning behavior. In the vein of "Fast, Good and Cheap - pick any two,"... pick two.

realistically, she is afraid the Linksys BEFSR41W made in 2001(firmware circa 2002), which they do not have the password to, "might" be "taken over" (snicker), and they would lose their "routes"... they would also lose the High encryption (WEP -- double teehee), wireless connection they use.

However, the security of systems relies at some point on the obscurity of certain pieces of data.

if it relies on obscurity, then it's not secure, period.

Whether it be a user password or a map of a network topology, the information itself has no real reason to be made public just for the sake of openness, one could argue.

A user password IS a secret, and is intended to be. Internal network topology is a way of organizing a network for administrative purposes, and is in NOT designed, nor CAN be be designed, to provide security.

Some topologies make it easier to secure certain things, yes - but that is an administrative consideration in selection of a topology made to make implementing security easier; it is not, in itself, a security measure.

Lastly.... the information was not sought "just for the sake of openness" - it was sought as part of the process to discover who had been engaged in criminal behaviour.

is the crime worth the possible destruction of the entire network at the hands of hackers?

If knowing which particular device is enough to give hackers the ability to destroy an entire network, there's a butt load and a half of network administrators working for the state that need to be fired - and the sooner, the better.

Way to pick out a keyword and use it to make an irrelevant "talking point" type response in your desperation to give the impression that the person you're replying to is an idiot.

His whole point is that all security ultimately depends on secrets. If you do not protect your passwords and your private keys by preventing attackers from finding them out, then you have no security. In other words, your security depends on the obscurity of your passwords a

The password is obscure, sure, but the underlying security mechanism shouldn't be. If you rely on the your password-checking algorithm being secret for security, this is "security through obscurity" (no security at all really because it will likely be easily reverse-engineered or discovered some other way). If, instead, the password-checking algorithm is publicly available and yet still cannot be defeated without knowing the password, you've been doing your job right. That's security.

Internal network topology is a way of organizing a network for administrative purposes, and is in NOT designed, nor CAN be be designed, to provide security

Ever heard of Network Admissions Controls?

802.1x Authentication?

The largest threats to IT security comes from internal users and internal physical access.

Locking down internal access to your network resources is one of the biggest steps you can take towards improving security. The number of organizations who leave lots of unused RJ-45 wall jacks around th

Why are you leaving a visitor alone with a network jack? When my company brings in a visitor, about the only time we leave them unattended is when they're in the cafeteria in the morning eating breakfast (and as far as I know there are no network jacks in there) and when they're in the restroom (no network jacks in there, either.)

No, that isn't exactly correct. Obscurity is good at protecting against unknown exploits that are targeted at specific agencies. This is a branch of government who might actually be a target more so then a website or something. We know there are zero day exploits and puting a sign up saying the important shit is here probably isn't the best idea.

So while security through obscurity is crap, there are still legitimate reasons for not wanting the IP locations or departments to be public knowledge.

Lastly.... the information was not sought "just for the sake of openness" - it was sought as part of the process to discover who had been engaged in criminal behaviour.

Well, no. This isn't really criminal behavior. First, Arkasas state law allows for campaigning to be done on state property if hte office or space is open to the public for this purpose without regard to political party or affiliation. Violation of that is a misdemeanor. Second, all you have so far is allegations from two reporters, you don't have any official criminal proceedings. So even if it is unethical or appears that way, there are perfectly legal ways in the State of Arkansas that it could have happened.

So the corect statement would be more like "The information was not sought "just for the sake of openness" - it was sought as part of the private endeavors to discover if someone had been engaged in criminal behavior.

If knowing which particular device is enough to give hackers the ability to destroy an entire network, there's a butt load and a half of network administrators working for the state that need to be fired - and the sooner, the better.

Government networks are gifted with resource shortages, out of date technology and so on. It's logical to expect any government network to contain routers that are 15 years old that might still have the superman password hard coded in the firmware, it's entirely possible that some agency is still using windows 2000 or worse, windows 98. A lot of the technology decisions are over ruled or determined with political expectations.

I actually work with some governments and I see this all over the place. I'm not in Arkansas but here is how the situation plays out, An group of angry citizens calls in and complains because the pot holes in from of their drive still isn't fixed and it has chewed up another tire or causes suspension damage when they hit is at 10 MPH over the speed limit(of course they don't admit to speeding). Now this is more from a local governmental perspective but it can easily transfer to higher offices with a little but different of a scenario play out. Anyways, the state or county goes and fixes the pot hole then the money to upgrade the server is missing from the budget so it has to wait another 90 days or so. Or there is a rash of crimes in the area and the police work overtime to catch the criminals or deter the crime and then the police budget is used up, cuts go from somewhere else, there goes the router upgrade until next year. And Sure, it's probably a piss poor job of communications when the IT guy can't make the case for why the routers need replaces or upgraded above the pothole being fixed or the crime wave being addressed but the people ultimately making these decisions are the emotional and political officers who depend on the public to get reelected so it is going to happen.

But this decision didn't say the network will be hacked, it said it gives the hackers a (refined) target. As I mentioned earlier, there are zero day exploits and if your subject to the will of a politician or MS or Cisco or Dell or some other company, you are going to be subjected to them. A firewall isn't always capable of protecting the computers, Symantec just had a big problem in their internet securities and firewall program

While (almost) everything you say is correct, you misunderstand what "security through obscurity" is. See my post further up [slashdot.org] for why using passwords for security is not security through obscurity.

Changing your port, in fact, does not make you computer more secure in a literal sense. Anyone who wanted to seriously look for vulnerabilities would look for open ports and they would find your ssh daemon. What it does do is prepare for the (somewhat likely) discovery of new exploits in ssh or other services

the security of systems relies at some point on the obscurity of certain pieces of data

No it doesn't. Obscurity is neither a necessary or desirable element of security.

Whether it be a user password or a map of a network topology

The first of these isn't obscurity, and the second should not result in the ability to compromise a system, so keeping it obscure won't help security (in fact, the belief that keeping it obscure is beneficial actually *reduces* your security.)

Obscurity is information that is obscured - ie hidden with the belief that an attacker won't find it. In some cases, this belief is justified (strong encryption) in others, this isn't (n

The director of the Arkansas Department of Information Systems, Claire Bailey, claimed in court that releasing this information would allow hackers to target these state offices."

Which is a good thing, because without "hackers" knowing about these IP addresses then they would not be able to "hack" the information pertaining to potential abuses. Public information is generally better left in the public; let the chips fall where they may. Of course sensitive government information probably shouldn't be on public networks anyways, and state officials should be thinking more about security than censorship. Their priorities are misplaced.

If the IP address is exposed on the internet, hiding the office that owns the device does nothing to protect it. Hackers already know the device is online. There are enough ongoing attacks on every computer on the internet that it is under constant threat already.

If the IP address is not exposed directly on the internet, then identifying the office that uses the computer tells hackers nothing about the network topology. It's not like they're asking for the subnet,

Using government resources to edit wikipedia entries does not sound like an ethical thing to do, anonymously or not. In this case, it looks like taxpayer money being used for political gain, another no-no.

I don't know how what you're saying even applies. Most Obama supporters are not in the Obama campaign, Obama's campaigns don't have access to Ohio government resources like some in Huckabee's campaign might have been in Huckabee's home state, nor did Obama ask his supporters to violate the privacy of Samuel Joseph Wurzelbacher. Don't conflate these situations needlessly. All those that misuse their government office for election gain should be held accountable. In this case, it looks like maybe those in the Huckabee campaign may been doing this, but this veil of secrecy prevents knowing whether this is true. Maybe that this was the work of an independent Huckabee supporter, but without a proper investigation, we won't know. In SJW's case, Ohio government resources aren't under Obama's jurisdiction.

Not being able to track down someone who dares to edit a Wikipedia article... Wikipedia, where the truth is made by people with enough time and zeal to monitor pages 24/7 for violations of their own little world view.

I would be careful of what you wish for. It was the mainstream news that reported things like Nixon was involved in Watergate while the mass public didn't think he did anything wrong. It was the mass media who first reported on evolution while the vast majority of the public believed in creation.

In other words, by taking that position, you could be choosing to be willfully ignorant.

Sure, I won't dispute that. Actually I would to a degree but I can ignore that just for the point of argument.

The problem is that the wisdom of the crowd is not any better in many situation. Actually, you can take 50 very intelligent people and put them with 50 unintelligent people and in no time, the collective IQ of the group will/can drop drastically.

No doubt, I agree on that point - especially (unfortunately) in America that is true of much of the public (we could discuss the poor public education in many places, the TV culture, etc for days and not say anything new) and also I think what you were saying about crowds holds especially true if any sort of danger or fear is introduced into the situation - but I would say that the majority of the people who are active on any given subject on Wikipedia generally aren't these same people....

I can sort of agree but then again, I remember back to Katrina and how Wikipedia totally ignored the fact that both the governor of Louisiana and the mayor of New Orleans failed to not only institute the emergency hurricane evacuation and preparedness plans (that they both worked out with FEMA a couple years before), but they failed to even follow the plans response guide after the situation became worse. This is just one instance I can remember, I even attempted to edit the page but anything that took the

It's wise to trust nothing really. Mainstream media is in many ways much more honest than Wikipedia. Most Media nets have their politics front and center. You know where they are coming from.

The trouble with wikipedia is that, it continually (fraudulently) touts itself as reliable, free and an information source that "anyone" can edit (a blatant lie -- they ban people every day for the unexplained self-concocted reason of "vandalism" (and ban anyone else who happens to be part of

Anyone can edit Wikipedia. The question is, may you edit Wikipedia? Sure, as long as you don't break the rules. And if you call "vandalism" an "unexplained self-concocted reason," I'd have to question your motives for editing.

After all, he's blatantly participating in a cover-up of illegal activities in the Arkansas state government.

Either that, or it's just not the job of citizens to go around doing "investigations" into relatively minor breaches of state law.

Look at it this way. Is it more likely that these journalists are true sentinels of fairness and democracy and are about to uncover a massive and elaborate plot to illegally elect Huckabee in '08, or is it more likely that they need someone concrete to point the finger at for a tabloidesque story on an ultimately inconsequential Wikipedia edit.

Corruption in government should be investigated and cleaned up, even on small scales. If you leave it alone, it will fester. And yes, using government resources for political gain is corruption.

Sure, government corruption should be investigated and cleaned up. But there is nothing pointing to this as corruption except your imagination. You are assuming an awful lot of things without any knowledge of it.

First of all, you don't know that the person who modified the page was using government resources improp

Well then file a complaint with the appropriate agencies and have it officially investigated. All this was is two reporters wanting a public map of government agencies and public IP's released so they could dig up a story.

Using reporters as police isn't exactly what I would consider a viable alternative. Even with Deep Throat and Watergate, real police and real government agencies with real authority acted on the information, not the reporters.

Is it not a reward to let things like this go unpunished? Even calling them out on it and letting people form their own opinions would be a better form of punishment than nothing at all. Not saying the guy should get ten years in federal prison, but what's he going to do next time? Or the time after that? How long will it take until they're caught?

Some politicians are never caught. They get rich off of bribes, they always get the best seat at the steak house, and they'r

Look at it this way. Is it more likely that these journalists are true sentinels of fairness and democracy and are about to uncover a massive and elaborate plot to illegally elect Huckabee in '08, or is it more likely that they need someone concrete to point the finger at for a tabloidesque story on an ultimately inconsequential Wikipedia edit.

It doesn't matter; Wikipedia should be the one deciding what they wish to share with the public (it is there Website after all). Posters and editors also have the discretion to decide if they wish to publish with Wikipedia, and if they wish to do so in a more anonymous manner or not. This should not be a state issue. If a person doesn't like the rules, then they don't have to play the game.

This isn't about transparent government v security. Security through Obscurity is the well known worst approach to security that you can have, because if anyone ever does get that information (hell bribing a sys admin can't be that hard if you really want the info) then your have no security.

Its a bogus claim and a bogus judgement. If they were claiming that it shouldn't be released because editing Wikipedia isn't actually a political thing anyway then I could see a reason to toss it out. But the risk of hackers "targetting" bits of the network is just plain bogus, the implication is that these IP addresses are therefore in some secure part of the (ARKANSAS!) government and those IP addresses have already been released. What is being asked is a map back from a known IP address to its source. Claiming that knowing the physical source would some how make security worse is like saying that "Sure you have the keys, you know where the front door is and you can get in.... but I'm not telling you the NAME of the house".

Having the IP address is like having 1600 Pennsylvania Avenue and the keys to the door but the government not telling you that it is called the "Whitehouse" for security reasons.

In terms of computer technology this appears to be the case. In the real world one could have brute force security, like the military has weapons and soldiers, but in the military camouflage (i.e. security through obscurity) and other obscurity techniques are very important parts of security. One can only hide behind the complexity of a hash or the teeth (or bittings) of a key for so long before a diligent "hacker" can undermine these protections.

Computational complexity does so even if the methodology or algorithm itself is well-known, there being no presumption of ignorance on the part of the attacker. Security through obscurity depends entirely on the attacker being unaware of how a security system works, and being presumed unable to ever figure it out.

That rarely works well in practice, if you're attempting to obscure something that someone else wants badly enough. On the other hand, if the unauthor

How so? Passwords are just obscure strings, as are public/private keys. If someone knows what the string is it's no longer secure. A OTP is just an obscure algorithm to generate passwords, etc, etc, etc...

The real problem for Gov Huckabee is that if he plans to run again for President this will become an issue - an IPGate that he wants to avoid so it can't be used against him.
Of course, the press will start to look for other ways to get the information.
Of course, the real problem is the coverup - did the Gov order the information not to be released? Did he know someone in government was using official computers for political purposes?

When I read that the "state rules don't allow using computer resources for political purposes" it seems clear to me that someone broke the law by using one or more State of Arkansas computers to perform the edits. The decision by the State court tells me that they are either clueless about technology or there's collusion between State agency's. Now, that couldn't be?

To say that I don't have to provide information in a criminal case because my computer could be hacked is laugh. Come on! ANY public IP address can attacked. The IT director is not telling the truth because she's either ignorant (and misinformed by her staff) or outright lying. She should be fired either way. Then again, lying seems to be a job requirement for most leadership positions within government nowadays. Maybe she gets a raise?

It's simple, a public IP address was used to break the law. The organization should be required to identify the internal machine that used that use that public IP address. Unless of course they no longer have the logs to provide that information. Oops, your honor, the logs weren't working during that time.

You have a few misconceptions. Perhaps you should RTFA and maybe learn some things about Arkansas law first. It wasn't hard but with little effort, I found that state agencies are allowed to set rooms aside for political campaigns as long as the are generally open to the public and do no discriminate on party or political affiliation. This entire edit could be little more then someone within the law making an edit from a private computer in one of these rooms.

When Reverend Huckabee runs for president again in 2012, just remember then that you can't see how much of his Wikipedia entry was cooked by his staffers still buried in the Arkansas government he controlled up until he ran for 2008.

Huckabee might be a talking snake person who believes that the rapture will render all national security interests moot too. Did you see his platform? Memorable note was the politically suicidal attempt to introduce THE FAIR TAX PLAN http://www.fairtax.org/site/PageServer [fairtax.org] [grass roots people just like Obama]. He made a political statement, and let a (presumably) more electable candidate have the nomination. He stinks of being RATIONAL, NOT "Talking snake!"

#1: Obama is not a "grass roots person", he was the Democratic candidate, which is the largest political organization in the world. Nice try at making Huckabee look like Obama, when they're totally different. Especially since Huckabee isn't at all grass roots in any way.

What are you correcting? I didn't say he was governor past January 2007. I said he "ran for 2008", which every exhausted American in the electorate knows used up all of 2007 campaigning, too, like all the candidates did. He did evidently leave enough staff buried in the government that they're still busy doctoring his Wikipedia article.

BTW, since most of you Arkansans know Huckabee is a joke, how do you explain those who don't get it [slashdot.org]?

Knowing the name of the agency and the building would make it easier for reporters to pursue the truth about who did the editing and why. You can't question a suspect until you obtain knowledge about their current location and their presence at the place and time of the incident being investigated.
It's not about computer security. It's about government agency PR and legal liability.

I'll bet if the Huckabee staffers were accused not of whitewashing Wikipedia articles, but rather downloading copyrighted music on BitTorrent, the tone of this/. discussion would be entirely different. (I'm just sayin'...)

That's OK -- we're all a bit hypocritical about some things. I, myself, have been known to indulge in the fine art of hypocrisy now and then...

Actually, I'll bet if the Huckabee staffers were accused of d/l'ing copyrighted music on BitTorrent, and the people suing were the RIAA instead of some journalists, the judges ruling would have been different!

Obviously the notion that they can't provide the IP information for security reasons is bogus.
But could we not look at this decision as a win because it may set a vital precedent for similar cases in the future? The government has ruled it cannot be forced to give out IP information on people accused of wrong-doing on the Internet. By this logic, neither should ISPs or people who run a website be forced to surrender their logs at request.
Surely the government wouldn't take privileges unto itself that it

>Obviously the notion that they can't provide the IP information for security reasons is bogus.

That determination is for the higher court to make. I read it more like a judge saying "That's all you've got, an IP address? You need better evidence in my court. Dismissed."

I might be inclined to make the same judgment if you brought me and IP address from a log in a leaf node and said this was proof without reasonable doubt of a crime. Why didn't the original request ask for a name? I certainly would ex

That determination is for the higher court to make. I read it more like a judge saying "That's all you've got, an IP address? You need better evidence in my court. Dismissed."

I might be inclined to make the same judgment if you brought me and IP address from a log in a leaf node and said this was proof without reasonable doubt of a crime. Why didn't the original request ask for a name? I certainly would expect a court to respond more favorably to an accusation of a person, than one against a number.

Is this even that big of an issue? I know that that state owned computers shouldn't be used for political purposes, but it's not like there's lasting damage. The vandalism probably disappeared within a few minutes (tip of the hat to counter-vandals). This looks like making a mountain out of a mole hill.

The IP could be traced, eh? I guess they should have used https://www.torproject.org/ [torproject.org] to do those edits... if Tor users are not blocked from creating users at the moment, which is frequently is. "We traced those edits to some IP in China which happens to be a Tor server, now what do we do?"